Date: Fri, 9 Aug 2002 10:08:18 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "FBSDQ" <questions@FreeBSD.ORG>
Cc: <freebsd-isp@FreeBSD.ORG>
Subject: WARNING - Apache "SCALPER" worm
Message-ID: <MIEPLLIBMLEEABPDBIEGAEPDCHAA.barbish@a1poweruser.com>
To fix, upgrade using the current version of the Apache FBSD ports.

FreeBSD/Scalper - VIRUS DESCRIPTION

Virus name: FreeBSD/Scalper
Virus type: I_Worm
Infected objects: SYSTEM
Detected: 2002-07-01
Evilness: Potentially destructive (corrupts data while replicating)

Description:
FreeBSD/Scalper is a new worm with backdoor characteristics. It is spreading using an Apache web server exploit on FreeBSD systems. The worm size is 51,199 or 51,626 bytes, depending on the version.

The "chunked encoding" exploit used by Scalper can cause arbitrary code execution on the target machine, with the privileges of the Apache web server process. This exploit was discussed in the Apache Security Bulletin from 20.06.2002.

When executed, Scalper scans for vulnerable servers, using a very large hard-coded list of IP classes. The first byte of the target IP address is taken from the built-in list (e.g. 46, 47, 230); the second byte is randomly generated, and for the last 2 bytes the worm generates all the possible values. Scalper attacks only FreeBSD 4.5 x86 systems running Apache versions 1.3.20 and 1.3.22-24.

Using a stack overflow type exploit, a small part of the worm code gets control and uploads a uuencoded copy of the worm to the infected system as "/tmp/.uua", then decodes it into "/tmp/.a". The worm kills any processes named ".a", sets the executable flag of the file "/tmp/.a" and executes it. The new process has the name ".a" and its privileges are the same as those of the Apache server process.

After this, the worm opens UDP port 2001 and listens for remote commands. The remote commands can be: execution of shell commands; TCP, UDP and DNS flooding; denial of service functions; mail sending (spam mail); mail address collecting; viewing of web pages; and many more. In the case of mail address collecting, the worm scans for mail addresses in all the files on the infected machine (patterns that contain the '@' and '.' characters). However, mail addresses ending in ".hlp" or ".gov" are ignored, as well as the "webmaster@mydomain.com" address.

The Scalper process can be removed from memory by killing the process called ".a" (kill -9 .a).

Analyst: Daniel Bodorin - http://www.ravantivirus.com/
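The description above gives a FreeBSD admin four host-level indicators to look for: a process named ".a", the dropped files /tmp/.uua and /tmp/.a, a listener on UDP port 2001, and an httpd in the version range the worm targets. The script below is an added example written for this archive page; it is not part of Joe's post or of the RAV analysis. Function names, the `--live` flag and the assumed column layout of FreeBSD's `ps -axo pid,comm`, `sockstat -l4` and `httpd -v` output are this example's own assumptions. The `*_in` functions read command output from stdin so they can be checked offline against constructed samples; `scalper_check_host` wires them to the live commands.

```shell
#!/bin/sh
# Added host-check example; not from the original post or the RAV write-up.
# Looks for the Scalper indicators the description lists:
#   - a running process whose command name is exactly ".a"
#   - the dropped files /tmp/.uua and /tmp/.a
#   - a UDP listener on port 2001
#   - an httpd whose version is one the worm targets (1.3.20, 1.3.22-1.3.24)
# The *_in functions read command output from stdin; scalper_check_host
# feeds them FreeBSD's ps(1), sockstat(1) and httpd(8) output on a live host.

# Exit 0 if a process whose command name is exactly ".a" appears in
# `ps -axo pid,comm` output (the header line is skipped).
scalper_process_in() {
    awk 'NR > 1 && $2 == ".a" { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if `sockstat -l4` output shows a UDP socket bound to port 2001.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
scalper_udp_listener_in() {
    awk '$5 == "udp4" && $6 ~ /:2001$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if either dropped file exists in the given directory (default /tmp).
scalper_files_in() {
    dir=${1:-/tmp}
    [ -e "$dir/.uua" ] || [ -e "$dir/.a" ]
}

# Exit 0 if `httpd -v` output ("Server version: Apache/1.3.22 (Unix)")
# names one of the versions the description says Scalper targets.
# Only those versions are flagged; this is not a general vulnerability check.
apache_version_targeted_in() {
    ver=$(sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p')
    case "$ver" in
        1.3.20|1.3.22|1.3.23|1.3.24) return 0 ;;
        *) return 1 ;;
    esac
}

# Live wrapper for a FreeBSD host: prints one line per indicator found,
# exits 0 if anything was found and 1 if the host looks clean.
scalper_check_host() {
    hit=1
    ps -axo pid,comm | scalper_process_in && { echo "process named .a is running"; hit=0; }
    sockstat -l4 | scalper_udp_listener_in && { echo "UDP port 2001 has a listener"; hit=0; }
    scalper_files_in /tmp && { echo "/tmp/.uua or /tmp/.a exists"; hit=0; }
    httpd -v 2>/dev/null | apache_version_targeted_in && { echo "httpd is a version Scalper targets"; hit=0; }
    return $hit
}

# Run the live checks only when asked, so the file can also be sourced.
case "${1:-}" in
    --live) scalper_check_host ;;
esac
```

Run it as `sh scalper-check.sh --live` on the FreeBSD host. The process and socket checks match on the exact command name and port from the description rather than on substrings, so an unrelated daemon bound to a different UDP port or a binary merely containing ".a" in its path does not trigger a false hit.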